Enterprise reputation risk presents management challenges. Even the finest organization's reputation may suffer serious and even irreparable damage from many disparate causes. Over the past years, risk controls were directed at capital losses arising from trading, market and credit risk. But today, the profound risk which must be identified, mitigated, controlled, and monitored is Enterprise Reputation Risk. Reputation risk, that is the loss of shareholder value resulting from a lack of customer and public confidence in the organization, must be effectively managed.
Reputation risk is very difficult to manage since it may be extremely complex to identify and manage. It requires a coordinated analysis and control of three separate, interrelated risks: business risk, regulatory risk and operational risk. It also requires the identification of sub-risks which may occur throughout any part of an organization: within or between front, back and middle offices, and even between the organization and outsource providers. It also requires the insertion of key controls and monitors, often in areas which have not been previously identified as key control points.
Few organizations have risk reduction methodologies in place across all areas or for all risk areas. Thus, reputation risk remains. For example, organizations such as banks which will follow the Basel II formula, set forth by the Basel Committee on Banking Supervision through the Basel Capital Accord, are already well aware of the limits and complexity of the Basel II methodology. Its principal focus is reducing Operational Risk, and it specifically excludes an analysis of many overlapping areas of risk which give rise to enterprise reputation risk, so the reduction of reputation risk via Basel II is limited.
Business Process Management (BPM) methods also reduce reputation risk, but only to a degree. A high quality BPM methodology yields measures and controls which give to management a set of metrics to manage in a cost effective and process efficient manner. However, BPM is, at heart, directed to cost control and efficiency rather than real risk reduction. In other words, an organization may spend millions on effective BPM and still have substantial exposure to reputation risk.
Thus, effective reputation risk management depends upon identifying risk and control at each process point. However, because of downsizing, rightsizing, mergers, acquisitions, technology implementations, and outsourcing, organizations find an enormous disconnect between their process and controls. For example, the planned control environment instituted at some past time does not conform to the process which has been implemented to meet business and service demands. This means that risk remains in the organization.
Process management and risk reduction may be even more complex for organizations which have implemented Basel II or Business Process Management (“BPM”). Basel II's operational risk definition is very limited and overlapping areas of risk may not be considered in the analysis. This leaves wide gaps and vulnerabilities. In addition, organizations which have implemented BPM may have effectively “mapped processes” and inserted control measures to maximize efficiency and cost reduction, but the underlying analysis of reputation risk factors is rarely accomplished. Thus, in both cases, management is left with a false sense of security.
A need exists for the creation of an ongoing method of effective control and monitoring of process and risk management in an organization.
It is therefore an object of the present invention to provide an interactive risk management system and method to allow a user to navigate from process to process to access and review associated data, to thereby obtain information about selected processes and associated risks.